FR3038758A1 - MANAGEMENT OF IDENTITY AND ACCESS TO PHYSICAL INFRASTRUCTURE AND INFORMATION SYSTEMS - Google Patents

Abstract

The present invention relates to a centralized security system for the intelligent management of identities and intra and extra-mural perimeter access rights to the information system (IS) and cloud by means of mobile and / or fixed equipment with a transponder system. several independent authentication factors: biometrics, geolocation, unique ID, proprietary encryption and random dynamic virtual keypad with infinite combination encryption both unique to each user and including real-time and continuous presence management with instant messaging a predefined space using Delay Tolerant Networks (DTN) technology that adopts a "store and forward" logic. The architectural design we have studied centralizes the single-point governance of the SI and there can no longer be a dormant and / or outdated ghost profile. The management of authorizations is itself reinforced by a virtual embedded system that is formed only when the person is logging in order to have access to his resources. For strong authentication we use a random and dynamic virtual keyboard as well as a proprietary encryption that guarantees the security of the randomly generated temporary unique identifiers, together with a biometric authentication, of the geolocation to verify the authentication with a transponder link which enhances security and a repudiation system should an anomaly occur during authentication. Our centralized security device finds its place within SME-SMI, Administrations, cloud .... to access information safely and risk-free internally and by web offering optimal security. Example of use: sales force sales management, presence and physical access management, defense clearance management, private club, online poker.

Description

Description of the invention

Centralized security platform for the management of identities and LAN and WAN access rights to information system (IS) and cloud using one or more mobile terminals with transponder system with several independent authentication factors: biometrics, geolocation, unique ID, equipped with proprietary encryption and a dynamic and random virtual keyboard both unique for each application, including real-time and continuous presence management.

Technical Field: The present invention relates to a centralized security system that administers, controls and monitors the access of users to resources, applications and information internally and by web using a mobile (smartphone, tablet) by offering a optimal security with several independent authentication factors (biometrics, unique ID, geolocation, encryption and unique dynamic virtual keyboard) linked to a transponder guaranteeing access to critical and relevant information of the company while respecting the importance of the Visibility and control regarding each other's rights and access permissions, real-time and continuous presence management will be done using Delay Tolerant Networks (DTN) technology which is a technology for communication in "extreme" conditions "which adopt a" store and forward "logic, more adapted to intermittent connectivities, and to links to lat high rate and high bit error rate.

PRIOR ART: We know so far various solutions for administering, controlling and monitoring user access to resources, applications and information. Their security levels go by default, from the weakness of the purely declarative character to the "regal identity" established in a strong way. Authentication devices available in online services are varied. The most common are based on passwords, with more or less complex requirements (lengths, special characters, ...); the more advanced authentication devices are developing and spreading: smart cards associated with a secret code, sending secret code on the mobile phone ... In a professional setting, to protect access to the information system, companies, professional organizations and administrations have, for some (particularly where there are important issues of confidentiality or traceability), identification devices supported by smart cards. Internally, the identification system and the rights management system can rely on a comprehensive directory of all employees; the question of the common identifier is not normally a problem. On the other hand, the internal information system is often very technologically varied: while the framework for using teleprocedures relies mainly on highly standardized Internet technologies, internal information systems often consist of historical stack of many technologies, which have various rights management and not really simple to converge.

We conducted research on five criteria: -The first concerns complete solutions for identity management with the keywords "management? And identities?" and we found 206 results. Out of these 206 results, three drew our attention to similar points, namely:

Patent No. WO2009000276A1 Title: "Identity Management System for Assigning End-User Rights to Access Systems Attached to a Central Server"

We have a common server that centralizes access rights but our system differs in access management and in the way our central server correlates information and access rights, through our independent authentication factors related to our transponder system and the use of technology (DTN) Delay Tolerant Networks.

The patent N-EP1760647A2 Title: "Method and device for managing files with mobile devices, a corresponding software and a corresponding computer-readable memory"

We have in common the use of a smartphone for access to the file however our system differs on how to access the file and on their use. We handle files that will be stored on accessible virtual machines only at this time. In addition, the smartphone in our case is used as a means of authentication and not tools to manipulate files finally we differ in our independent authentication factors related to our transponder system.

The patent N · FR2963516A1 Title: "Method of authentication of a user of the Internet network having a mobile phone of the smartphone type"

We have in common the use of a smartphone as a means of authentication but our system differs on the fact that we use the smartphone to receive temporary identifiers, and not as an application to enter a password that is sent to the server. In addition, our application has its own encryption and our independent authentication factors related to our transponder system. -The second concerns the RFID-GPS dongle with the key words "RFID? And GPS?" and we found 54 results. Out of these 54 results, all combine these two technologies in the context of a use of location of products or objects but none uses the combination of these two technologies in the context of authentication and transponder as our system. -The third concerns the Bluetooth-GPS dongle with the keywords "Bluetooth? And GPS?" and we found 69 results. Out of these 69 results, two drew our attention to similar points, namely:

Patent No. WO2009073291A2 Title: "Modification of the operation of a mobile device using proximity relations"

This system invented by Microsoft allows to exchange content if two mobiles are nearby and uses a non-cellular network (Bluetooth RFID wifi ect ...) the GPS position is used to set the position of both mobiles to send an alert that the other mobile device is nearby.

Our system is different since it allows to give the localization of a PC so that this information is confronted with the position of a smartphone. This confrontation will or will not lead to a connection or a connection interruption if the smartphone moves away from the PC.

Patent N-W00158098A2 Title: "Determination of position using Bluetooth device"

This system makes it possible to share the GPS position with all the devices nearby.

Our system differs in that it uses a dongle that provides a GPS position to the PC and the smartphone that has its own GPS position that will be faced for strong authentication and as a transponder to maintain the connection. -The fourth concerns NFC locks with the key words "lock? And NFC?" and we found 7 results. Of these 7 results, the 7 have retained our attention on the similar point that they are all controllable by a laptop like our system but differ in the sense to know for:

The patent N · FR 2945177 (Al) Title: "Secure programming and management system for locks comprising contactless communication means and controllable by an NFC mobile phone"

This system uses a smartphone to program an electronic lock with a unique algorithm for each coupled lock.

We have in common the use of a smartphone and an electronic lock that communicates through NFC. However we use the smartphone as a means of authentication with the server managing access through the NFC lock which serves as a means of connection.

The patent N-FR 2945137 (Al) Title: "Programming system of a lock comprising contactless communication means of the NFC type"

This system uses a smartphone to program and then can operate the electronic lock by NFC.

Our system differs in that the smartphone alone does not operate the electronic lock, opening management being performed by the server after authentication of the smartphone through the NFC via the lock.

Patent NFR 2945162 (A1) Title external power supply system of a lock comprising contactless communication means of the NFC type "

This system allows to operate an electronic lock with a smartphone through the NFC. The electronic lock does not receive an external power supply but receives it by the smartphone for its operation via the NFC.

Our system differs initially in the fact that the smartphone only communicates through the lock with the server via the NFC of the lock. As a result that the power and the order of opening are provided by the server.

Patent EP 2425581 (A1) Title: "Programming system of a lock comprising contactless communication means of the NFC type" and the patent EP 2425405 (A1) Title: "Secure programming and management system for locks comprising means of communication without contact and controllable by an NFC mobile phone "

These two systems make it possible to program an electronic lock via the NFC each in a different way.

Our system does not manage the programming of the lock.

Patent EP 2425516 (A2) Title external power supply system of a lock comprising contactless communication means of the NFC type "

This system allows a power supply of the lock by the smartphone.

Our system does not handle the power of the lock by the NFC

WO 2012073265 (A1) Title: "Method for controlling and managing access keys to spaces delimited by electronic locks and the like, and device that can be activated as a key according to said method"

In this system, the request for authentication by a computer that sends to a server, which in turn generates keys sent under GPRS to the smartphone to operate the lock via NFC.

Our system works in a similar way in its architecture but differs in the sense that all the exchanges is done only via NFC; that we use unique encryption for each smartphone; that our lock is not autonomous the verification being done by the server which authorizes or not the opening; that we use an additional element, an IP camera which at each access request will zoom in on the area and will proceed to a recording in case of failure but also make sure that another person will not benefit from access at the same time. This system makes it possible to program an electronic lock via the NFC. Our system does not manage the programming of the lock. -The fifth concerns the DTN Delay Tolerance Networks technology with the keywords "delay? And tolerance? And network?" and we found 22 results. Of these 22 results none is relevant to our invention.

Presentation of the invention

Technical Issue: According to CLUSIF today, the proliferation and diversity of access control systems related to operating systems and applications has become particularly counterproductive. Indeed, each "system" (OS, NOS, messaging, groupware, business applications, ERP, CRM, etc.) is protected by a specific access control procedure. In fact, each function to be performed may require an access code and associated rights. This multiplicity of access controls is confusing for the user who, for example, loses or forgets his passwords. He then has two solutions: either he solicits the help-desk service, at the risk of clogging him by wasting too much time to reset very often passwords, or he notes said codes on a support within reach to forget them! Of course, none of these solutions is satisfactory ... In general, each operating system and / or application is managed by a single administrator; in fact, any global vision is impossible. In this case, the autonomous administration of each system is particularly source of errors, vulnerabilities and loss of time. Generally, newcomers are allocated more or less quickly some resources (an office, a phone, an access badge, a PC, etc.), but can not work, for lack of access rights. This is particularly because the time allocation of resources and rights is too long, the allocation circuits are too "heavy", etc. They often even have to fend for themselves: find the right person responsible for accessing such a database, such an application, the Intranet, etc. The list of interlocutors is commensurate with the complexity of the Information System. On the other hand, one is seldom certain to have removed all the rights available to a departing employee or to have updated the rights of an employee in the event of a change of function and as a result the Information System abounds often called "ghost" accounts (dormant and / or outdated). In addition, the generic technical accounts, installed by default, by the operating systems and / or the applications, are not always modified or even deleted, inducing other flaws. This is all the more serious as these passwords are easily accessible on the Internet ... Similarly, some people use, when they arrive in the company, user accounts "generic" and shared, simply because of the important time of creating their own account. Finally, auditing and traceability are often the poor parents of the implementation of user access rights. Yet, more and more, companies must comply with strict standards, laws and / or regulations regarding internal control policy. By default, the elements of "account creation" are declarative. In many cases, the issuance of a commercial service can be content with this declarative nature of the information. Nevertheless, certain legal obligations may be imposed on the service provider, who must "ensure the identity of the person". Some services delivered by companies actually require a very high level of assurance of identity elements for access to resources. Once the account is created, once the known user of the online service, it is necessary at each new opportunity, to connect, to be recognized by the service, with an authentication device to ensure that the the person who connects is the one associated with the account. Authentication devices available in online services are varied. The most common are based on passwords, with more or less complex requirements (lengths, special characters, ...); the more advanced authentication devices are developing and spreading: smart cards associated with a secret code, sending secret code on the mobile phone ... The multiplicity of authentication means, especially when it comes to words password, is penalizing for users of services, who are tempted to reuse many times the same passwords, which is a significant risk of capture and fraudulent use. In parallel, the service provider must multiply the verification devices, which can end up being expensive.

For administrations, the management of access and identities is most often the link between the person who connects and the "account" available to the administration. In the situation and in this context, it is generally necessary for the administration and the user in question to share information that a third party can not know (a secret), which the user will enter to prove that he or she is the one that corresponds to the file. For examples:

The internet consultation service of the balance of points of the driver's license requires the user to produce a secret code that he will obtain from the prefecture; the digital services of the CAF will require the recipient to produce a secret code that he has obtained by mail from his CAF; the digital tax services will require the representative of the tax household to provide information on a tax notice sent to the home. Thus, the "personal file" can be attached to the individual but it is important to note that the establishment of such a device has many security flaws in any case can not guarantee strong authentication. In addition, a form of digital identity card, on its own, would not simply solve the difficulty for a given system of "making the connection" between the individual who declines his identity, and the "individual file" corresponding thereto. is basically linked to the fact that the different information systems of the administrations rely on distinct identifiers example: the system of management of driving licenses is organized around the number of license of driving, the information system of the caisses d ' family benefits is organized around the number of recipient, the tax information system is organized around the tax identifier, attached to the tax home. The multiplicity of different identifiers is obviously a hindrance to the ability to pool the means of identification and authentication of users and a brake on the organization of transversal procedures between several administrations and this nevertheless leads to make complex and inefficient development of online services and transversality between administrations. And paradoxically, the overlapping of information between sets of data consisting of an aggregate of traces, publicly available information and data stored in information systems, has never been easier with the big data technologies. applied to "data mining" The development of digital procedures across multiple administrations requires an alignment of identity management in these procedures; it is not only a matter of organizing the interoperability of the means of authentication, but really of organizing the transfer or the sharing of data between administrations. This requires an alignment of formats, definitions, organization of data, or management rules on these data, in state information systems that must rely on identity data, or data attached to an individual (address for example). Data relating to means of identification and authentication (system of password, certificates, card, ...), the identity of the person as known in the system, roles and rights associated with this person, must necessarily be distinguished in information systems, otherwise interoperability or scalability can be difficult.

In a professional context, to protect access to the information system, companies, professional organizations and administrations have, for some (particularly where there are important issues of confidentiality or traceability), identification supported by smart cards. The preceding reflections apply to this professional framework, with some differences:

Internally, the identification system and the rights management system can rely on a comprehensive directory of all employees; the question of the common identifier is not normally a problem. On the other hand, the internal information system is often very technologically varied: while the framework for using teleprocedures relies mainly on highly standardized Internet technologies, internal information systems often consist of historical stack of many technologies, which have various rights management and not really simple to converge. The employees or agents of the entity concerned may have to use third-party systems, on which it seems appropriate to use the same means of identification. The third-party system must be able to grant access rights, after "enrollment", to each employee or agent who must benefit from it. The mechanisms to be put in place may again be of various kinds, depending on the distribution of responsibilities: In the ideal case, the right of access is deduced from the "role" available to the employee or agent, whether his or her employer has defined and registered in a system accessible to third parties; Otherwise, a "case by case" enrollment is necessary.

And as regards the state administrations and its agencies to date, the internal identification systems structures, directories, management rights, ... are not shared, and weakly interoperable. They are uniquely aligned with respect to smart card and certificate authentication, compliance with the RGS, and the deepest technology layers.

At a time when the transversal and shared information systems of the State are multiplying, and with the sharing of common infrastructures, it appears essential to set up a common platform for the management of identities and access for agents within the organization. state information system, with at least a common repository of agents, a harmonized system of authentication, sharing and role recognition schemes (a common security framework and technical framework, frameworks for uses related to the needs of the entity) The deployment of RGS referenced devices ensures a progressive alignment to shared authentication means, usable in all systems. Nevertheless, the certification chain guarantees only the quality of the identification (if any of the electronic signature) of the agent, but is not designed to manage the role of the identified person, and consequently the rights associated with this role. To date some means of authentication of identity management and role management use a "keychain" authentication service, independent or not of the online regal identity, which finds its use by using the smartphone object used in all homes. However, if the use of the smartphone makes it possible to avoid various authentication means such as smart card, dongle, token ... the solutions developed only offer independent identification factors presented as strong but which unfortunately do not solve the problems. points of problem mentioned above and have security flaws.

Concerning the management of presence in the company it is often done by means of badges which can be forgotten or misplaced, which do not guarantee most often that the holder is indeed the holder and which, if they appeal to biometric technologies do not know with certainty and in real time if the bearer is always present and where he is with certainty in the company.

Technical Solution: Our Identity and Access Management solution is a tailor-made cybersecurity solution that is unique to each user and for each IT, but also in the way we combine various proprietary technologies to manage the entire IT system.

This system is innovative from: -1) Its five strong independent authentication factors: Unique ID related to ΓΙΜΕΙ and mobile terminal phone number or processor serial number and any other unique and relevant information related to the device according to the terminal used,

A data encryption that is unique to each user with a GPS position correlation repudiation value,

A random and dynamic encrypted virtual keyboard unique to each user,

Biometric identification,

A password. - 2) By its architectural design that we have studied and which centralizes the single-point governance of the IS allowing among others the management of ghost profiles and rights of access in real time, and in its management of authorizations reinforced by a system embedded virtual that is formed only when the person is logging to have access to its resources, - 3) By our technology that generate temporary identifiers encrypted and used to guarantee access to resources designed to defeat all techniques interception and spoofing known to date such as: Social Engineering, Man In The Middle (MITM) Virus (trojan), Screenschot, Watering hole. - 4) Through the correlation of various information or devices to prevent fraudulent use which in addition to biometric authentication, uses geolocation to verify authentication. A repudiation system is used in case an anomaly would occur during authentication. In addition through our transponder link used to enhance security if a customer moves away from his station the communication will be interrupted immediately. - 5) By the use of DTN Delay Tolerant Networks technology which is a technology for communication in "extreme" conditions that adopt a "store and forward" logic, more suited to intermittent connectivity, and high latency links and high bit error rate that enables real-time and continuous presence management

Advantages provided by the invention:

Our solution offers: o Federation and identity sharing, allowing the simple reuse of identities across different services, o a mobile terminal "Keychains" authentication, to limit the effects of the profusion of authentication devices , o Audit and Permanent Reporting of user activity to verify compliance with rules and contribute to compliance, o a Base Administration, to pool authentication systems, to pool directories and to make interoperable information systems, which limits the profusion of identification and access management solutions to state information systems or a Business Base, to simplify relations between companies, administrations, with a dematerialization more complete and successful based on a simplification of processes made possible by the digital, o A federation of platforms exchange forms to favor the exchange of system to system in substitution of dematerialized forms and technical and regulatory devices allowing the development of uses of the system in the commercial sphere. o A presence management module that enables real-time and continuous presence management with instant messaging The advantage of the whole system is its unique identification and authentication process, which allows us to the link with a known unique identifier guaranteeing a high level of confidentiality and security as well as inviolability of the identity avoiding any impersonation according to the methods known to date. It makes it possible to define, in order to access the resources, the identification and authentication means that are acceptable and scalable according to the confidence that can be granted by means of authentication according to the level of the required authorizations. It secures the information system in depth of potential attacks ensuring both surveillance, detection and response. It responds to targeted attacks collected by Social Engineering (facebook, linkedin, ...) using identifiers and dynamic code unknown to the user and managed randomly in an infinite combination.

It offers an optimum level of security in the state of the art, cost control, ease, optimization of working time, responsiveness, audit-reporting follow-up.

It allows to make sure of the presence of the carrier in the space defined by having his position in real time and continuously and to be able to benefit from an instantaneous messenger in this defined space Description of the drawings:

Figure 1: Metadirectory: Directory related to the Active Directory or any other directory. SGBD SI ERP: SGBD of the ERP of the Company's IS already in place. SGBD SI ...: Any other application DBMS requiring access rights on the IS (CRM, ...)

Filer: Filer or print server already in place in the Company

Content: Content management server already in place in the Central DBMS Company: DBMS centralizing all rights management parameter databases for existing applications on the IS. A replication system will consider every change made to the application databases. This database will centralize the administration of different applications requiring authentication.

Brain: This is the brain of the system, it is this server that will make the link between a user / identity, a profile and the system that will be assigned. This server will be responsible for building the OS and making it accessible to each authenticated machine to be loaded in "Live"

SoC / SoC DBMS: Integration of the SoC system to retransmit the identifiers in an encrypted way. This system can be adapted to transmit identifiers between the phone and the client computer. SSO: Directory-based single sign-on authentication via the metadirectory as well as each central authentication parameter on the Central DBMS.

Syslog: This server centralizes the logs of the entire infrastructure in order to be able to manage them more productively via the web administration interface. This centralization allows the feedback of information to each authentication error, disconnection , an attempt at usurpation, whatever the attack used. NFS: This server will host the data of the different levels. These mounts will be mounted automatically at the start of the new OS once the biometric authentication has been validated.

Admin Admin / Admin DBMS: Main application for identity management.

Figure 2: SE: user's electronic lock SU: Mobile.

Soc: Soc server identified in Part 1 of Figure 1 Figure 3: SU: Mobile or smartphone of the user Brain: Central server

Sco: Correlation Server for DTN Technology

Detailed description of the invention: We use a mobile terminal (SU) with a proprietary application installed beforehand that has been downloaded from our server via a URL or platforms offering our solutions (ex: appstore, samsapp, Windows Mobile )

This application includes a biometric identification system required for its use as well as a user-defined 4-digit code. This application uses a random and dynamic virtual keyboard and a proprietary encryption whose main characteristics are:

For the virtual keyboard, a numeric or alpha-numeric virtual keyboard that is both dynamic and random with a proprietary unique encryption that is generated with each use including a number of infinite combinations. This keyboard has been designed to respond to all the information hijacking techniques known to date to resist keylogger-type intrusions, keylogger-equipped virus, Man In The Middle (MITM screenshot), the last Watering Hole fault on i.e.

For our proprietary encryption, it runs under a Client / Server architecture with the generation of a unique ID which is determined at each installation and which is related to ΓΙΜΕΙ and the phone number of the smartphone (SU), or serial number the processor and any other unique and relevant information related to the device according to the terminal used. The whole thing is combined with a geolocation of this ID which by this makes it possible to guarantee that the user who accesses a resource or an electronic lock is in the same place as the user who requested the access. Added to this is a transaction ID that is renewable on each connection. For real-time and continuous presence management we use the Delay Tolerant Networks (DTN) technology which is a technology for communication in "extreme" conditions that adopt a "store and forward" logic, more adapted to intermittent connectivities, and high latency links and high bit error rate. The architecture of the present invention is a centralized management system consisting of 4 major parts:

Part 1 Identity Gesture

A central server (brain). Meta directory

Central database (DBMS CENTRAL).

A single authentication system (SSO).

An NFS server.

A Sco server. This server is a correlation server for the DTN A syslog server. This server is shared with SoC A central application managing the construction of jails.

A Web Administration Server (Web Admin)

A database for administration (DBMS Admin)

Part 2 Proprietary Encryption The SoC System (SoC).

SoC database (SoC DBMS).

A syslog server. This server is shared with the centralized system Part 3 Communication interface with SoC and centralized system A transponder Bluetooth / RFID / GPS (Tr)

An electronic lock (SE)

A smartphone with RFID / Bluetooth (SU) embedding a safe application (Keystore home).

An IP camera (Cip) connected on the network.

Part 4 SI of the client. For a turnkey solution all these elements (according to the need of the customer) are embedded in part 1.

A file server (SF)

A content server (SC).

ERP database (SGBD SI ERP).

IS database (SGBD SI: DBMS COMPTA ...) On arrival of the user in the perimeter defined by the administrator, it is recognized by the Sco server and its entry with all the time of presence on the places are saved on the syslog server. In the case of an access equipped with our electronic lock (SE) the user to access his office uses his mobile terminal by launching the proprietary application which will allow him to open the door. At the launch of the application is performed a facial recognition through its mobile terminal (SU). If the acknowledgment is validated, the application can be used. Otherwise it is proceeded to another request, with a security which at the 3rd attempt proceeds to the blocking and sends a message to the central server (brain) which will disable this account the time to solve the problem.

Once the application is launched, the user places his mobile terminal near the electronic lock (SE). Communication via NFC is then initiated between the mobile terminal (SU) and the electronic lock (SE). During this exchange the electronic lock (SE) sends a request to the central server (brain) for an opening request. The server receives the request for the electronic lock (SE) and sends a 4-digit random and temporary code that is transmitted via NFC to the mobile terminal (SU). This code is encrypted with proprietary encryption, and it is sent to the central server (brain) by two possible means: via the wifi / edge / 3G / 4G network or any other means of communication or by using the network to which the lock is connected electronics (SE) via the NFC.

The central server (brain) thus receives the encrypted information request to open the electronic lock (SE). This information includes: the electronic lock ID (SE), the 4-digit code to ensure that the user is in front of this door. This information is decrypted by the server which verifies the code sent via the smartphone of the user with the code assigned to the electronic lock (SE) for this opening request.

If the verification is validated the server sends an opening request to the electronic lock (SE) to open the door. At the same time the presence of the user with his time of entry into the institution is recorded on the syslog server.

Otherwise the central server (brain) uses the camera ip (Cip) to record the person in front of this door, updating the incident file.

To access data and applications according to his level of authorization via his PC, he uses his mobile terminal by launching our application. It is then carried out the facial recognition of the user through its mobile terminal (SU), which once validated and accompanied by its pin code (depending on the level of authorization) will ask the server SoC for the identifiers to access this PC.

Once the identifiers received on the mobile terminal (SU) they are recorded in the keystore of the application owner of the mobile terminal (SU) thus splitting no visible password on the mobile terminal (SU). The user himself having no knowledge each time of these identifiers. The user will then have 5 minutes to approach his mobile terminal (SU) transponder (Tr) connected to the computer (PC) or PC depending on the solution set up, otherwise the identifiers will expire. Authentication will be validated by:

The SoC system integrating the geolocation taking into account the position of the mobile terminal (SU) must be in a security perimeter defined around the computer (pc) on which the authentication will be requested.

The validation of the identifiers that will be secured via the SoC system (proprietary encryption, random dynamic virtual keyboard)

Once the authentication is validated and confronted with the rights of the user, a basic profile conforming to the authorization level authorized (ex: Level 1,2, 3,4,5) is applied to build the future system of the user. user who will be accessible once validated the correlation of the position of geolocation of the mobile terminal (SU) with the position of geolocation of the transponder (Tr) if transponder, or the position of geolocation of the pc via its IP address, according to the centralized security device used. This authentication will allow the user to automatically connect to any applications accessible through the user's profile without having to relocate using SSO SSO technology. This profile will make it possible to link to a different identity access to resources according to the level of authorization and it will be kept connected as long as the mobile terminal (SU) will remain near the transponder or the PC. The database (central DBMS) will contain all the information of the different entities composing the IS. A replication system makes it possible to link the database (central DBMS) with the various DBMSs as well as a meta-directory (Meta directory) which makes it possible to link the existing accounts of an AD or an LDAP directory. In this way the management of the rights on the different entities of the IS can be centralized and manipulated by the single administration web interface. A Life Cycle Management of users will be done automatically in direct link with the accounting DBMS accurately establishing the dates of entry and exit of users in the company. Once this profile is built, it is applied to a skel of a linux OS minimum. This skel will be enriched by the profile-specific binaries (rm, Is, touch, vim, crontab, tcpdump, .....) as well as by the libraries that go with it as it should, and its personal directory to which will be added the documents for which he will have access according to his level of authorization.

Example: In the case where the user has a Level 1 authorization his personal directory will give him access to all the information to which he will be entitled covering Level 2, 3, 4, 5.

Knowing that:

Level 1 = Access Rights Level 1, 2, 3, 4, 5 Level 2 = Access Rights Level 2, 3, 4, 5 Level 3 = Access Rights Level 3, 4, 5 Level 4 = Access Rights access Level 4, 5 Level 5 = access rights Level 5 The architecture of our centralized security system makes it possible to make each level both independent of each other but also, depending on the level of security, to bring them together. under the same environment that will be established at each connection. The tree to which it will have access will have this form. - / etc - / lib - / Iib64 - / usr / lib - / usr / lib64 - / usr / bin - / usr / sbin - / bin - / sbin - / var - / sys - / proc - / home

The profile will consist of data, commands and software to which the user will have access. This configuration will be responsible for composing the following partition tree: - / etc - / lib - / Iib64 - / usr / lib - / usr / lib64 - / usr / bin - / usr / sbin - / bin - / sbin - / var - / sys - / proc

The / home directory will be an NFS mount related to its level of entitlement and will therefore only offer the resources to which it will be entitled.

Regarding access to web applications a firewall system (IpTable) will be configured to filter access to the servers hosting these applications, the user will then be blocked or allowed to join a Web application according to its authorization. The logs of this system as well as the history of the actions performed by the user will be centralized on a syslog server (Syslog), thus the correlation of the various actions of the user and the application logs will be simplified thanks to an interface of main administration.

The construction of this system is dynamic at each connection, implies that once disconnected the complete system will be deleted, while retaining the actions that the user will have made and the applications used, all transcribed on the syslog server (Syslog) . The user can then disconnect in the most conventional way.

An additional security system was set up allowing the crash of the session and mechanically the removal of the system if the smartphone is away from the transponder (Tr) connected to the computer or the PC.

Area of Application: Our centralized security device finds its place in organizations (SME-SMI, Administrations, cloud, etc.) that need to access information safely and safely internally and web by providing optimal security with several independent authentication factors ensuring access to critical and relevant corporate information while respecting the importance of visibility and control over rights and access permissions of everyone and who need to be able to manage all the movements (input, output, presence) of people in real time and continuous with certainty.

Example of use: • Commercial sales force management • Presence and physical access management • Defense authorization management • Remote data management (cloud) • Private club • Online poker • Control and management of identities ...

Claims (7)

claims 1. Centralized security system (Figure 1) for intelligent identity management and intra and extra-mural perimeter access rights to information system (IS) and cloud, using mobile equipment (SU Figure 1 and 2) ) on which is installed a proprietary application including a biometric identification, which once its database authenticated user generated a unique ID determined at each installation and which is related to ΓΙΜΕΙ and mobile terminal phone number (SU Figure 1 and 2) , or the serial number of the processor and any other unique and relevant information related to the device depending on the terminal used. This application uses a virtual keyboard that is dynamic and random with unique encryption for each application and that communicates under a client-server architecture (Figure 1) using a unique random dynamic encryption owner (SoC Figure 1) generating an encrypted temporary identifier at each transaction and unknown to the user; as well as several independent authentication factors characterized by the use of geolocation established as a repudiation factor; by a transponder system (Tr part 3-Figure 1) maintaining the established connection; empowerment management enhanced by a virtual embedded system that is only formed when the person is logging in to access their resources; by the encrypted management via NFC of an electronic lock (SE Figure 2) in that we use a mobile terminal (SU Figure 2) to send an opening request to the server (Brain Figure 1) via the NFC communication protocol of the lock (SE Figure 2) after which after identification of the mobile terminal (SU Figurel and 2), the electronic lock (SE Figure 2) and the verification of access rights, a code is generated by the server (Brain Figure 1); transmitted via the NFC communication protocol of the lock (SE Figure 2) to the mobile terminal (SU Figure 1 and 2), code which once received is encrypted by means of proprietary encryption unique to this user, integrated in the installed proprietary application on the mobile terminal (SU Figure 1 and 2), and transmitted to the server (Brain Figure 1) via the NFC communication protocol of the lock. Upon receipt of this code and after verification of this code the server allows or not the opening; and in that we use an additional element, an IP camera (Cip part 3-Figure 1) which with each request of access will zoom on the zone and proceed on the one hand to a recording in case of failure but also s will ensure that another person will not benefit from simultaneous access through an enumeration authentication system, as well as presence management using DTN Delay Tolerance Networks technology including instant messaging. 2. centralized security system (Figure 1) seloh claim 1 wherein we use the established geolocation as a repudiation factor characterized in that the connection will be established only after performing the correlation between the position of the mobile terminal (SU Figurel ) with the position of the computer (PC Figure 1) established by means of a transponder (Tr part 3-Figure 1) or ΓΙΡ. 3. centralized security system (Figure 1) according to claim 1 and 2 wherein we use a transponder (Tr part 3-Figure 1) maintaining the established connection characterized in that this transponder uses RFID or Bluetooth technology combined with technology Gps to establish, within a predetermined time, the connection to resources, applications and information internally and via the Web via the computer (PC Figure 1) and maintain this access as long as the mobile terminal (SU Figure 1) will stay close to the computer (PC Figure 1) 4. centralized security system (Figure 1) according to claim 1 wherein we use a virtual embedded system that is formed at the moment the person is housed to access its resources characterized in that we use for the building the virtual embedded system to binaries and system files combined with files and applications to which the user will be entitled. 5. centralized security system (Figure 1) according to claim 1 wherein we use geolocation for real-time and continuous presence management in a defined perimeter characterized in that we call for a correlation between a point defined in a zone and a moving point in a perimeter around this zone (Figure 3) to the use of the DTN Delay Tolerant Networks, which is a technology for communication in "extreme" conditions and adopting a "store and forward" logic, more suited to intermittent connectivity, and high latency links and high bit error rate. 6. centralized security system (Figure 1) according to claim 1 wherein we use an instant messenger in real-time and continuous presence management characterized in that we call to exchange information in real time and continuously between two static or in-motion users within range within a defined perimeter, the use of the DTN Delay Tolerant Networks, which is a technology for communication in "extreme" conditions and adopts store and forward ", more suited to intermittent connectivity, and high latency links and high bit error rate. The centralized security system (FIG. 1) according to claim 1, or which, as a whole, qualifies our invention as a centralized security system (FIG. 1) for the intelligent management of identities and access rights, characterized in that we use the Accounting SGBD of the SI to validate in real time the rights of users and thus remedy the problems of ghost profiles.